Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Arrow up icon
GO TO TOP
The Art of Social Engineering

You're reading from   The Art of Social Engineering Uncover the secrets behind the human dynamics in cybersecurity

Arrow left icon
Product type Paperback
Published in Oct 2023
Publisher Packt
ISBN-13 9781804613641
Length 234 pages
Edition 1st Edition
Arrow right icon
Authors (2):
Arrow left icon
Cesar Bravo Cesar Bravo
Author Profile Icon Cesar Bravo
Cesar Bravo
Desilda Toska Desilda Toska
Author Profile Icon Desilda Toska
Desilda Toska
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Part 1: Understanding Social Engineering
2. Chapter 1: The Psychology behind Social Engineering FREE CHAPTER 3. Chapter 2: Understanding Social Engineering 4. Chapter 3: Common Scam Attacks 5. Chapter 4: Types of Social Engineering Attacks 6. Part 2: Enhanced Social Engineering Attacks
7. Chapter 5: Enhanced Social Engineering Attacks 8. Chapter 6: Social Engineering and Social Network Attacks 9. Chapter 7: AI-Driven Techniques in Enhanced Social Engineering Attacks 10. Chapter 8: The Social Engineering Toolkit (SET) 11. Part 3: Protecting against Social Engineering Attacks
12. Chapter 9: Understanding the Social Engineering Life Cycle 13. Chapter 10: Defensive Strategies for Social Engineering 14. Chapter 11: Applicable Laws and Regulations for Social Engineering 15. Index 16. Other Books You May Enjoy

Understanding the art of manipulation

Social engineering is the art of manipulating users to perform actions or divulge confidential information for the benefit of the attacker.

Examples of those actions can be as follows:

  • Install a given software (which may contain malware)
  • Remove some security settings or applications (disable the antivirus, firewall, etc.)
  • Execute an unknown command that may impact the confidentiality, integrity, or availability of data (for example, delete a table using SQL commands)
  • Create or edit an active user (that will provide access to the attacker)
  • Change system configurations (to facilitate access to data)

Additionally, examples of the types of information that the attacker may want to gather from the victims are as follows:

  • User credentials (usernames, passwords, etc.)
  • Trade secrets
  • Organizational information (which can be used later for whaling attacks)
  • Financial information
  • Corporate sensitive information (clients, price lists, etc.)
  • Sensitive personal information (used for impersonation attacks)

While most people believe they will never fall victim to this type of attack, the truth is that we are all susceptible to a social engineering attack.

In fact, social engineering attacks have evolved into well-fabricated scenarios that are carefully crafted to leverage a series of physiology paradigms to effectively trick and manipulate the victim without them even noticing that they are under attack.

Therefore, organizations must invest time and resources to include social engineering awareness campaigns as part of their cybersecurity strategy to reduce the risks of employees falling into these types of attacks.

A common mistake is to focus social engineering awareness campaigns on IT people, while in reality, attackers prefer to attack other employee profiles, as follows:

  • Non-IT employees: Attackers assume that non-IT personnel are less aware of the consequences of executing a given command. The following figure shows a typical example of how an attacker can manipulate an employee into executing a command to delete hundreds and even thousands of records in a database:
Figure 1.1 – Manipulating non-IT employees

Figure 1.1 – Manipulating non-IT employees

  • Overwhelmed users: We all know that some companies are happy to assign overwhelming workloads and job responsibilities to some employees. This is, of course, a terrible business practice, but it can also become a vulnerability that attackers may want to exploit. For example, as shown in the following figure, an attacker can manipulate an overwhelmed employee to gather access to a restricted location (which will enable the attacker to perform a super dangerous physical attack):
Figure 1.2 – Manipulating overwhelmed users

Figure 1.2 – Manipulating overwhelmed users

  • Sales teams: Sales teams are normally overstretched to achieve sales quotas at the end of the quarter. Attackers can leverage that stress to manipulate the victim to perform a restricted action, as highlighted in the following figure:
Figure 1.3 – Manipulating sales teams

Figure 1.3 – Manipulating sales teams

  • Executive assistants: Executive assistants handle a lot of sensitive information that is a potential target for attackers. Therefore, executive assistants are a common target that attackers may try to manipulate to gain access to that information. The following figure shows an example of how an attacker can impersonate an IT manager to obtain a password reset code to gain access to the senior manager’s account:
Figure 1.4 – Manipulating executive assistants

Figure 1.4 – Manipulating executive assistants

Of course, those are only a few examples of groups that are more prone to be attacked by a social engineering attack, but in the end, what we want to highlight is the importance of ensuring that the organization is well-trained and aware of the threats of social engineering attacks.

The bottom line is that users are the biggest layer of defense to prevent those attacks in your organization, therefore, ensuring that everyone is well-trained to recognize those attacks should be a key component in your cybersecurity strategy.

Now, while manipulation is the art used by attackers, there are a lot of psychological principles behind this that enable the attacker to successfully manipulate users not only to perform those actions but to do it without doubting the intention of the attacker. Now, let’s review them in detail.

You have been reading a chapter from
The Art of Social Engineering
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781804613641
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image